Confining TeX
by Jan Kasprzak
Hello,
I am implementing a remote TeX server for our users,
and I would like to confine it using SELinux (FC6, targeted policy).
I need help or suggestions on possible approaches. What I want to do
is the following:
- I have a TeX installation in a separate directory
- I want local users to be able to run TeX commands without restrictions
- I want to have a daemon, running under a separate user, which will handle
remote requests for TeX compilation. Under this user/daemon
the TeX commands should be confined, so that they can only
read TeX data files (the texmf/ tree), execute the TeX sub-commands
(i.e. files under <texroot>/bin/ directory) - including the rights
to the system libraries, locales, etc. as necessary. And the confined
processes should write only to the texmf-var tree (autogenerated
bitmap fonts, etc.) and to the temporary directory, reserved for
TeX outputs (logs, DVI files, dvips outputs, etc.).
My current solution is to create the tex_t domain,
and tex_exec_t, tex_data_t, and tex_tmp_t file types, and make the
daemon run "runcon -t tex_t -- tex myfile.tex" instead of plain
"tex myfile.tex".
Maybe there are better approaches than this:
- maybe the "runcon" is not necessary, and TeX executables can be made to
enter the tex_t domain automatically, when started by the UNIX user
under which the daemon runs.
- or maybe I should use SELinux users or roles instead of domains (?)
- or maybe the daemon should run under its own special domain?
The "runcon" approach also allows local users to compile untrusted TeX
sources, i.e. they can run TeX either under their own context or via
"runcon" in the confined mode.
Any suggestions?
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
> I will never go to meetings again because I think face to face meetings <
> are the biggest waste of time you can ever have. --Linus Torvalds <
15 years, 5 months
Nagios Web Interface and SELinux
by Ryan Skadberg
I have been trying to get nagios up and running on 2 different
machines. One running FC5 and one running FC6. Nagios itself starts
up fine, but the web interface fails miserably.
When looking at /var/log/messages, I see things like:
Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied
{ execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
I noticed in the selinux-policy-targeted Changelog:
* Wed Jul 26 2006 Dan Walsh <dwalsh(a)redhat.com> 2.3.3-13
- Add nagios policy
This may have been for the program itself or maybe the web interface,
but it sure doesn't seem to be working for me.
Both systems are set to:
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
Anyone have any advice on how to fix this?
Thanks!
Skadz
15 years, 6 months
Ooops! I've hosed up selinux, help!
by Knute Johnson
I was playing around with the security settings on my FC6 box and
reset a couple of selinux options. Which ones you ask? Darned if I
can remember. Anyway, it prevents X from starting correctly so I
can't go in and run the security program and fix it. If I disable
selinux, X starts just fine but the options for selinux are not
available in the security program. Even if you start it with selinux
off and then set it on, the options don't show up. Is there a way to
reset all options to default without running X?
Thanks very much,
--
Knute Johnson
Molon Labe...
15 years, 12 months
Re: "HASHTAB_OVERFLOW" undeclared
by NZzi
Stephen Smalley wrote:
> On Thu, 2007-03-29 at 10:49 +0800, Ken YANG wrote:
>> I want to use findcon to find a type "tmpfs_t".
>> But in FC, there is a setools* package containing findcon.
>> I find that secmds (findcon) is in the setools-console subpackage;
>> why does FC not have this subpackage?
>
> That's a question for Dan Walsh (cc'd above) or fedora-selinux-list.
OK, I have cc'd fedora-selinux-list.
>
>> I downloaded setools-3.1-1.src.rpm from the Tresys site, and encountered
>> a build error:
>>
>> policy_extend.c: In function 'qpol_policy_build_attrs_from_map':
>> policy_extend.c:170: error: 'HASHTAB_OVERFLOW' undeclared (first use in
>> this function)
>> policy_extend.c:170: error: (Each undeclared identifier is reported only
>> once
>> policy_extend.c:170: error: for each function it appears in.)
>> policy_extend.c: In function 'qpol_policy_fill_attr_holes':
>> policy_extend.c:246: error: 'HASHTAB_OVERFLOW' undeclared (first use in
>> this function)
>> make[4]: *** [policy_extend.o] Error 1
>> make[4]: Leaving directory
>> `/workbench/rpmbuild/BUILD/setools-3.1/libqpol/src'
>>
>>
>> I have not found "HASHTAB_OVERFLOW" in the selinux trunk, especially in
>> libsepol. Where is this symbol defined?
>
> Those error codes were replaced by standard ones
> (include/sepol/errcodes.h) in the trunk version of libsepol, so you
> would need to build setools against the stable branch version of
> libsepol until they update setools.
Thank you.
I played some tricks on setools :-)
In the spec file of setools-3.1-3.fc7, I found that "findcon" and other commands
had been removed:
rm -f ${RPM_BUILD_ROOT}/usr/bin/findcon
rm -f ${RPM_BUILD_ROOT}/usr/bin/replcon
rm -f ${RPM_BUILD_ROOT}/usr/bin/searchcon
rm -f ${RPM_BUILD_ROOT}/usr/bin/indexcon
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/searchcon.1
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/indexcon.1
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/replcon.1
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/findcon.1
rm -rf ${RPM_BUILD_ROOT}%{_includedir}/libsefs/sqlite
So I commented out the "findcon"-related items and added the corresponding
items to the "files" list.
It seems that this kind of "findcon" works.
This is a temporary method; I just want to use findcon to search for a
certain context.
>
>> By the way, I want to check out setools and try again, but the Tresys "open
>> source project" site cannot be accessed; maybe it is temporary :-)
>
> Appears to be up now.
>
16 years
Re: fc6 and samba
by selinux@lucullo.it
Thank you.. I will try right now...
...but I have a question about the ls -Z command:
can I change the security context of these files,
/usr/bin/smb*,
instead of changing the policy rules?
Thank you again
----- Original Message -----
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: "selinux(a)lucullo.it" <selinux(a)lucullo.it>
Cc: fedora-selinux-list(a)redhat.com
Subject: Re: fc6 and samba
Date: Tue, 27 Mar 2007 11:22:54 -0400
> selinux(a)lucullo.it wrote:
> > hi,
> >
> > my samba installation on fc6 has some problems due to
> > selinux.
> >
> > this is the issue:
> >
> >
> >
> > --------------------------------------------------------
> >
> > Mar 27 16:14:11 francesca kernel:
> > audit(1175004851.436:88): avc: denied { unlink } for
> > pid=3414 comm="winbindd" name="pipe" dev=hda3
> > ino=9886377 scontext=root:system_r:winbind_t:s0
> > tcontext=system_u:object_r:samba_var_t:s0
> > tclass=sock_file Mar 27 16:14:11 francesca
> > winbindd[3414]: [2007/03/27 16:14:11, 0]
> > lib/util_sock.c:create_pipe_sock(1308) Mar 27 16:14:11
> > francesca winbindd[3414]: bind failed on pipe socket
> > /var/cache/samba/winbindd_privileged/pipe: Address
> > already in use Mar 27 16:14:24 francesca smbd[3420]:
> > [2007/03/27 16:14:24, 0]
> > rpc_server/srv_netlog_nt.c:get_md4pw(242) Mar 27
> > 16:14:24 francesca smbd[3420]: get_md4pw: Workstation
> > FRANCESCA$: no account in domain Mar 27 16:14:24
> > francesca smbd[3420]: [2007/03/27 16:14:24, 0]
> > rpc_server/srv_netlog_nt.c:_net_auth_2(461) Mar 27
> > 16:14:24 francesca smbd[3420]: _net_auth2: failed to
> > get machine password for account FRANCESCA$:
> > NT_STATUS_ACCESS_DENIED Mar 27 16:14:29 francesca
> > smbd[3421]: [2007/03/27 16:14:29, 0]
> > passdb/pdb_interface.c:pdb_default_create_user(368) Mar
> > 27 16:14:29 francesca kernel: audit(1175004869.820:89):
> > avc: denied { search } for pid=3422 comm="smbd"
> > name="bin" dev=hda2 ino=928929
> > scontext=system_u:system_r:smbd_t:s0
> > tcontext=system_u:object_r:bin_t:s0 tclass=dir Mar 27 16:14:29 francesca
> > smbd[3421]: _samr_create_user: Running the command
> > `/usrbin/smbldap-useradd -w "francesca$"' gave 82
> > Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27
> > 16:14:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
> > Mar 27 16:14:34 francesca smbd[3424]: get_md4pw:
> > Workstation FRANCESCA$: no account in domain
> > Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27
> > 16:14:34, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
> > Mar 27 16:14:34 francesca smbd[3424]: _net_auth2:
> > failed to get machine password for account FRANCESCA$:
> > NT_STATUS_ACCESS_DENIED
> > Mar 27 16:14:38 francesca kernel:
> > audit(1175004878.895:90): avc: denied { search } for
> > pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929
> > scontext=system_u:system_r:smbd_t:s0
> > tcontext=system_u:object_r:bin_t:s0 tclass=dir
> > Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27
> > 16:14:38, 0]
> > passdb/pdb_interface.c:pdb_default_create_user(368) Mar
> > 27 16:14:38 francesca smbd[3425]: _samr_create_user:
> > Running the command `/usrbin/smbldap-useradd -w
> > "francesca$"' gave 82 --------------------------------
> >
> >
> > and these are the samba commands:
> >
> > [root@francesca ~]# ls -Zla /usr/bin/smb*
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 2112904 Feb 7 23:54 /usr/bin/smbcacls
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 1184704 Feb 7 23:54 /usr/bin/smbclient
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 748868 Feb 7 23:54 /usr/bin/smbcontrol
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 2002924 Feb 7 23:54 /usr/bin/smbcquotas
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 10240 Nov 21 17:21 /usr/bin/smbencrypt
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 2080808 Feb 7 23:54 /usr/bin/smbget
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 2006952 Feb 7 23:54 /usr/bin/smbpasswd
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 2295 Feb 7 23:53 /usr/bin/smbprint
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 913140 Feb 7 23:54 /usr/bin/smbspool
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 728000 Feb 7 23:54 /usr/bin/smbstatus
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 4896 Feb 7 23:53 /usr/bin/smbtar
> > -rwxr-xr-x 1 system_u:object_r:bin_t root root
> > 1093408 Feb 7 23:54 /usr/bin/smbtree
> >
> > how can i fix this problem?
> >
> > thank you in advance.
> >
> > vittorio
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> Easiest thing to do is to create a loadable policy module
> and install it. You can do this with the following
> commands.
>
> audit2allow -i /var/log/audit/audit.log -M mysamba
> semodule -i mysamba.pp
>
> This will add the following two rules to policy
>
> allow smbd_t bin_t:dir search; # WHICH I HAVE ALREADY
> ADDED TO THE NEXT FC6 UPDATE.
>
> #============= winbind_t ==============
> allow winbind_t samba_var_t:sock_file unlink; # THIS IS
> CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN
> THE NEXT UPDATE.
>
> selinux-policy-2.4.6-48
16 years
selinux problem building dbus
by Justin Conover
On rawhide I was building garnome and dbus was failing with the following:
make[5]: Entering directory
`/home/justin/downloads/garnome-2.18.0/freedesktop/dbus/work/main.d/dbus-
1.0.2/bus'
if cc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -DDAEMON_NAME=\"dbus-daemon\"
-DDBUS_COMPILATION
-DDBUS_SYSTEM_CONFIG_FILE=\""/home/justin/garnome/etc/dbus-1/system.conf"\"
-DDBUS_SESSION_CONFIG_FILE=\""/home/justin/garnome/etc/dbus-1/session.conf"\"
-I/home/justin/garnome/include -I/home/justin/garnome/include
-L/home/justin/garnome/lib -O2 -pipe -Wall -Wchar-subscripts
-Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wpointer-arith
-Wcast-align -Wsign-compare -Wdeclaration-after-statement -fno-common -fPIC
-MT selinux.o -MD -MP -MF ".deps/selinux.Tpo" -c -o selinux.o selinux.c; \
then mv -f ".deps/selinux.Tpo" ".deps/selinux.Po"; else rm -f
".deps/selinux.Tpo"; exit 1; fi
In file included from selinux.c:37:
/usr/include/selinux/avc.h:307: error: expected ')' before 'event'
/usr/include/selinux/avc.h:311: error: expected ';', ',' or ')' before
'uint32_t'
selinux.c: In function 'bus_selinux_full_init':
selinux.c:309: warning: implicit declaration of function 'avc_add_callback'
selinux.c:309: warning: nested extern declaration of 'avc_add_callback'
make[5]: *** [selinux.o] Error 1
make[5]: Leaving directory `/home/justin/downloads/garnome-2.18.0
/freedesktop/dbus/work/main.d/dbus-1.0.2/bus'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/home/justin/downloads/garnome-2.18.0
/freedesktop/dbus/work/main.d/dbus-1.0.2'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/home/justin/downloads/garnome-2.18.0
/freedesktop/dbus/work/main.d/dbus-1.0.2'
make[2]: *** [build-work/main.d/dbus-1.0.2/Makefile] Error 2
make[2]: Leaving directory `/home/justin/downloads/garnome-2.18.0
/freedesktop/dbus'
make[1]: *** [../../freedesktop/dbus/cookies/main.d/install] Error 2
make[1]: Leaving directory `/home/justin/downloads/garnome-2.18.0
/platform/gnome-vfs'
make: *** [../../platform/gnome-vfs/cookies/main.d/install] Error 2
Joseph helped me track it down to this:
# diff -u /usr/include/selinux/avc.h /usr/include/selinux/avc.h.orig
--- /usr/include/selinux/avc.h 2007-03-27 12:42:21.000000000 -0500
+++ /usr/include/selinux/avc.h.orig 2007-03-27 12:41:21.000000000 -0500
@@ -304,11 +304,11 @@
* -%1 if insufficient memory exists to add the callback.
*/
int avc_add_callback(int (*callback)
- (u_int32_t event, security_id_t ssid,
+ (uint32_t event, security_id_t ssid,
security_id_t tsid, security_class_t tclass,
access_vector_t perms,
access_vector_t * out_retained),
- u_int32_t events, security_id_t ssid,
+ uint32_t events, security_id_t ssid,
security_id_t tsid, security_class_t tclass,
access_vector_t perms);
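Review bot: the errors quoted above ("expected ')' before 'event'" at avc.h:307 and "before 'uint32_t'" at avc.h:311) say that `uint32_t` is undeclared at the point where avc.h is included, which points at a missing `#include <stdint.h>` in the header rather than at the type name itself; swapping in `u_int32_t` (the `-` lines of this hunk) only works because that BSD-style alias happens to come from <sys/types.h>. The smaller fix to propose in a libselinux-devel bug is to add `#include <stdint.h>` near the top of avc.h and keep `uint32_t`. Note also that the diff was taken as `diff -u avc.h avc.h.orig`, so the `-` lines are the local edit and the `+` lines are the shipped header, the reverse of the usual direction; swapping the two arguments would make the hunk read as the change it describes.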
Was this a change on purpose, or should I open a bug against libselinux-devel?
16 years
Fwd: winbindd fc6 and selinux
by selinux@lucullo.it
Hi,
can someone tell me if this is a security policy error?
this is a piece of /var/log/messages
kernel: audit(1175003984.841:87): avc: denied { unlink }
for pid=2967 comm="winbindd" name="pipe" dev=hda3
ino=9886377 scontext=system_u:system_r:winbind_t:s0
tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
Mar 27 15:59:44 francesca winbindd[2967]: [2007/03/27
15:59:44, 0] lib/util_sock.c:create_pipe_sock(1308)
Mar 27 15:59:44 francesca winbindd[2967]: bind failed on
pipe socket /var/cache/samba/winbindd_privileged/pipe:
Address already in use
How can I fix it?
Thank you in advance
16 years
fc6 and samba
by selinux@lucullo.it
hi,
my samba installation on fc6 has some problems due to
selinux.
this is the issue:
--------------------------------------------------------
Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88):
avc: denied { unlink } for pid=3414 comm="winbindd"
name="pipe" dev=hda3 ino=9886377
scontext=root:system_r:winbind_t:s0
tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
Mar 27 16:14:11 francesca winbindd[3414]: [2007/03/27
16:14:11, 0] lib/util_sock.c:create_pipe_sock(1308)
Mar 27 16:14:11 francesca winbindd[3414]: bind failed on
pipe socket /var/cache/samba/winbindd_privileged/pipe:
Address already in use
Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24,
0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
Mar 27 16:14:24 francesca smbd[3420]: get_md4pw:
Workstation FRANCESCA$: no account in domain
Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24,
0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
Mar 27 16:14:24 francesca smbd[3420]: _net_auth2: failed
to get machine password for account FRANCESCA$:
NT_STATUS_ACCESS_DENIED
Mar 27 16:14:29 francesca smbd[3421]: [2007/03/27 16:14:29,
0] passdb/pdb_interface.c:pdb_default_create_user(368)
Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89):
avc: denied { search } for pid=3422 comm="smbd"
name="bin" dev=hda2 ino=928929
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=dir
Mar 27 16:14:29 francesca smbd[3421]: _samr_create_user:
Running the command `/usrbin/smbldap-useradd -w
"francesca$"' gave 82
Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34,
0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
Mar 27 16:14:34 francesca smbd[3424]: get_md4pw:
Workstation FRANCESCA$: no account in domain
Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34,
0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
Mar 27 16:14:34 francesca smbd[3424]: _net_auth2: failed
to get machine password for account FRANCESCA$:
NT_STATUS_ACCESS_DENIED
Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90):
avc: denied { search } for pid=3426 comm="smbd"
name="bin" dev=hda2 ino=928929
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=dir
Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 16:14:38,
0] passdb/pdb_interface.c:pdb_default_create_user(368)
Mar 27 16:14:38 francesca smbd[3425]: _samr_create_user:
Running the command `/usrbin/smbldap-useradd -w
"francesca$"' gave 82
--------------------------------
and these are the samba commands:
[root@francesca ~]# ls -Zla /usr/bin/smb*
-rwxr-xr-x 1 system_u:object_r:bin_t root root
2112904 Feb 7 23:54 /usr/bin/smbcacls
-rwxr-xr-x 1 system_u:object_r:bin_t root root
1184704 Feb 7 23:54 /usr/bin/smbclient
-rwxr-xr-x 1 system_u:object_r:bin_t root root
748868 Feb 7 23:54 /usr/bin/smbcontrol
-rwxr-xr-x 1 system_u:object_r:bin_t root root
2002924 Feb 7 23:54 /usr/bin/smbcquotas
-rwxr-xr-x 1 system_u:object_r:bin_t root root
10240 Nov 21 17:21 /usr/bin/smbencrypt
-rwxr-xr-x 1 system_u:object_r:bin_t root root
2080808 Feb 7 23:54 /usr/bin/smbget
-rwxr-xr-x 1 system_u:object_r:bin_t root root
2006952 Feb 7 23:54 /usr/bin/smbpasswd
-rwxr-xr-x 1 system_u:object_r:bin_t root root
2295 Feb 7 23:53 /usr/bin/smbprint
-rwxr-xr-x 1 system_u:object_r:bin_t root root
913140 Feb 7 23:54 /usr/bin/smbspool
-rwxr-xr-x 1 system_u:object_r:bin_t root root
728000 Feb 7 23:54 /usr/bin/smbstatus
-rwxr-xr-x 1 system_u:object_r:bin_t root root
4896 Feb 7 23:53 /usr/bin/smbtar
-rwxr-xr-x 1 system_u:object_r:bin_t root root
1093408 Feb 7 23:54 /usr/bin/smbtree
How can I fix this problem?
Thank you in advance.
vittorio
16 years
target policy 2.5.9-2 in fc7 prevent mono
by NZzi
hi all,
In fc7 rawhide, target policy 2.5.9-2 prevents mono
from doing some things.
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03
egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500
gid=500 inode=55866 item=0 items=1 mode=0100644 name="make-it-fail"
obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500
path="/proc/3185/make-it-fail" pid=3091 rdev=00:00
scontext=user_u:system_r:mono_t:s0 sgid=500
subj=user_u:system_r:mono_t:s0 suid=500 tclass=file
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03
egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500
gid=500 inode=55852 item=0 items=1 mode=0100600 name="mem"
obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500
path="/proc/3185/mem" pid=3091 rdev=00:00
scontext=user_u:system_r:mono_t:s0 sgid=500
subj=user_u:system_r:mono_t:s0 suid=500 tclass=file
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03
egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500
gid=500 inode=55864 item=0 items=1 mode=0100644 name="oom_adj"
obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500
path="/proc/3185/oom_adj" pid=3091 rdev=00:00
scontext=user_u:system_r:mono_t:s0 sgid=500
subj=user_u:system_r:mono_t:s0 suid=500 tclass=file
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03
egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500
gid=500 inode=55865 item=0 items=1 mode=0100644 name="loginuid"
obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500
path="/proc/3185/loginuid" pid=3091 rdev=00:00
scontext=user_u:system_r:mono_t:s0 sgid=500
subj=user_u:system_r:mono_t:s0 suid=500 tclass=file
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { setattr } for comm="beagled" cwd="/home/yangshao"
dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500
fsuid=500 gid=500 inode=160224 item=0 items=1 mode=0100644
name="oom_adj" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500
path="/proc/3117/oom_adj" pid=3091 rdev=00:00
scontext=user_u:system_r:mono_t:s0 sgid=500
subj=user_u:system_r:mono_t:s0 suid=500 tclass=file
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
......
As far as I know, this problem has been happening since target policy 2.5.8-8.
I wrote a loadable module; after installing it, such problems have not
happened again so far.
There is only a ".te" file in this module:
"
module mymono 1.0;
require {
type unconfined_t;
type mono_t;
class file { write setattr };
}
#============= mono_t ==============
allow mono_t unconfined_t:file { write setattr };
"
Can anyone guide me on whether the '.te' file has something wrong?
I know that in reference policy we should use interfaces, but I am
a newbie at SELinux policy, and I don't know how to begin writing
policy using interfaces.
16 years
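Dan's reply in the samba thread shows audit2allow turning logged denials into allow rules, and the mono post above shows the resulting .te layout written by hand; the following is an added example, not code from the list or from audit2allow itself, of how that derivation works. It parses records of both formats seen on this page into (source type, target type, class) groups and renders them as a module; the sample records are constructed from this page's denials, and the module name "mysamba" is taken from Dan's command.

```python
"""Derive SELinux allow rules from AVC denials, the way audit2allow does.
Added example for this thread (not list code and not audit2allow itself).
SAMPLE_LOG is constructed from the denials quoted in the samba and mono posts,
in both the kernel "audit(...): avc:" and the auditd record formats."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88): avc: denied { unlink } for pid=3414 comm="winbindd" name="pipe" dev=hda3 ino=9886377 scontext=root:system_r:winbind_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89): avc: denied { search } for pid=3422 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 exe="/usr/bin/mono" name="oom_adj" path="/proc/3185/oom_adj" pid=3091 scontext=user_u:system_r:mono_t:s0 tclass=file tcontext=user_u:system_r:unconfined_t:s0
avc: denied { setattr } for comm="beagled" exe="/usr/bin/mono" name="oom_adj" path="/proc/3117/oom_adj" pid=3091 scontext=user_u:system_r:mono_t:s0 tclass=file tcontext=user_u:system_r:unconfined_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (perms, source type, target type, tclass) for one record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # A context is user:role:type[:range]; rules are written against the type.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # wrapped or truncated record: do not guess a rule from it
    return frozenset(m.group("perms").split()), stype, ttype, tclass


def collect_rules(log_text):
    """Group denials by (source type, target type, class); union their permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            perms, stype, ttype, tclass = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """audit2allow style: a bare name for one permission, braces for several."""
    return next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"


def render_module(name, rules, version="1.0"):
    """Emit a .te in the shape of the mono post: module line, require block, allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("mysamba", collect_rules(SAMPLE_LOG)))
```

Wrapped records (like the ones split across lines in the mailing-list quotes) must be rejoined before parsing, otherwise parse_avc() drops them rather than inventing a rule from half a record.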
mount.cifs and credentials file
by Dawid Gajownik
Hi!
What's the proper security context of the credentials file used by
mount.cifs? samba_selinux did not help me, and cifs_t is not what I am
looking for:
audit(1173946014.366:6): avc: denied { read } for pid=2237
comm="mount.cifs" name=".smbcredential-polsl" dev=sda1 ino=2195809
scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:cifs_t:s0
tclass=file
I've got this line in my fstab:
//dionizos/usr /srv/dionizos cifs
credentials=/root/.smbcredential-polsl,uid=gajownik,gid=users,file_mode=0666,dir_mode=0777
0 0
Regards,
Dawid
--
^_*
16 years